Fix pprof broad exposition #2821
@@ -68,6 +68,7 @@ func (r *FlowCollector) Validate(_ context.Context, fc *FlowCollector) (admissio | |||||||||||||
| v.validateAgent() | ||||||||||||||
| v.validateFLP() | ||||||||||||||
| v.warnLogLevels() | ||||||||||||||
| v.warnProfiling() | ||||||||||||||
| v.warnLokiDemo() | ||||||||||||||
| return v.warnings, errors.Join(v.errors...) | ||||||||||||||
| } | ||||||||||||||
|
|
@@ -87,6 +88,21 @@ func (v *validator) warnLogLevels() { | |||||||||||||
| } | ||||||||||||||
| } | ||||||||||||||
|
|
||||||||||||||
| func (v *validator) warnProfiling() { | ||||||||||||||
| warning := "This is for debugging purpose only. The profiling port should not be exposed, you can access it through local port-forwarding." | ||||||||||||||
| if v.fc.Agent.EBPF.Advanced != nil { | ||||||||||||||
| if env, ok := v.fc.Agent.EBPF.Advanced.Env["PPROF_ADDR"]; ok && env != "" { | ||||||||||||||
| v.warnings = append(v.warnings, "Profiling is enabled on the eBPF agent. "+warning) | ||||||||||||||
| if strings.HasPrefix(env, ":") || strings.HasPrefix(env, "0.0.0.0:") { | ||||||||||||||
| v.warnings = append(v.warnings, "Profiling is enabled for all network interfaces, make sure access is restricted e.g. with a network policy.") | ||||||||||||||
| } | ||||||||||||||
|
Comment on lines
+96
to
+98
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win Broad-bind check misses the IPv6 wildcard
🛡️ Proposed fix
- if strings.HasPrefix(env, ":") || strings.HasPrefix(env, "0.0.0.0:") {
+ if strings.HasPrefix(env, ":") || strings.HasPrefix(env, "0.0.0.0:") || strings.HasPrefix(env, "[::]:") {
v.warnings = append(v.warnings, "Profiling is enabled for all network interfaces, make sure access is restricted e.g. with a network policy.")
}
📝 Committable suggestion
||||||||||||||
| } | ||||||||||||||
| } | ||||||||||||||
| if v.fc.Processor.Advanced != nil && v.fc.Processor.Advanced.ProfilePort != nil && *v.fc.Processor.Advanced.ProfilePort > 0 { | ||||||||||||||
| v.warnings = append(v.warnings, "Profiling is enabled on flowlogs-pipeline. "+warning) | ||||||||||||||
| } | ||||||||||||||
| } | ||||||||||||||
|
|
||||||||||||||
| func (v *validator) warnLokiDemo() { | ||||||||||||||
| if v.fc.Loki.Mode == LokiModeMonolithic && v.fc.Loki.Monolithic.InstallDemoLoki != nil && *v.fc.Loki.Monolithic.InstallDemoLoki { | ||||||||||||||
| v.warnings = append(v.warnings, "InstallDemoLoki option is enabled. This is useful for development and demo purposes but should not be used in production.") | ||||||||||||||
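Review bot: The broad-bind test in `warnProfiling` (`strings.HasPrefix(env, ":") || strings.HasPrefix(env, "0.0.0.0:")`) enumerates wildcard spellings, so a `PPROF_ADDR` bound to any specific non-loopback address gets only the generic warning even though the profiling port is then reachable over the network. The warning recommends port-forwarding, which only needs a loopback listener, so it would be safer to invert the test and warn unless the host is loopback: `host, _, err := net.SplitHostPort(env)` followed by `if err != nil || (host != "localhost" && !net.ParseIP(host).IsLoopback()) {`, rewording the message because the bind may no longer be "all network interfaces". This needs the `net` import if the file does not already have it. The flowlogs-pipeline branch takes only `ProfilePort`, which presumably means a listener on all interfaces, so the network-policy advice likely applies there as well.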
|
|
||||||||||||||
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
Failed `helm dependency update` is silently swallowed. `cd helm && helm dependency update --skip-refresh ; cd ..` — the trailing `; cd ..` always exits `0`, masking a non-zero exit from `helm dependency update`. Make sees a successful step and proceeds to install with potentially stale/missing chart dependencies.
🛠️ Proposed fix